On 2017-04-16 22:27, Scott Koranda wrote:
Hello,
We are using SATOSA primarily as a SAML-to-SAML proxy. One of the IdPs
that federated with the proxy requires signed authn requests. I do not
see that the current version of SATOSA allows one to configure that
authn requests sent to a particular IdP are signed. Please let me know
if I am incorrect.
The underlying pysaml2 library, of course, does support sending a signed
authn request. It also supports the option "authn_requests_signed":
"Indicates if the Authentication Requests sent by this SP should be
signed by default. This can be overridden by application code for a
specific call."
I suspect SATOSA would pass through the authn_requests_signed option to
pysaml2 already, but I am more interested in being able to control
signing on a per-IdP basis, rather than making it the default for all
IdPs.
Patching SATOSA so that one could configure signing for particular IdPs
looks straightforward. I suspect the largest issue would be the
configuration (yaml) syntax.
Doesn't it make sense to let metadata govern this? Just lookup the IdP
in metadata and sign the authn request if "wantAuthnRequestSigned" flag
is set (at least that's what I think it's called)?
My proposal is that saml2_backend.yaml look like this for such a scenario
(leaving out the other options and boilerplate):
module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  sp_config:
    service:
      sp:
        relying_parties:
          https://some.idp/entityid:
            authn_requests_signed: True
          https://another.idp/entityid:
            authn_requests_signed: True
This format would be easy to extend over time to enable per-relying party
overrides for the options that pysaml2 allows to be configured per flow.
Thoughts?
Thanks,
Scott K
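As an added illustration (not SATOSA's or pysaml2's own code) of how the per-IdP override in the proposed YAML could be combined with the metadata check suggested in the reply: the config is assumed to be already parsed into a dict, the IdP metadata fragments are constructed for the example, and the metadata attribute consulted is WantAuthnRequestsSigned on IDPSSODescriptor, which is the name defined in the SAML 2.0 metadata specification.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the parsed saml2_backend.yaml from the proposal.
BACKEND_CONFIG = {
    "config": {"sp_config": {"service": {"sp": {
        "authn_requests_signed": False,  # pysaml2's global default for this SP
        "relying_parties": {
            "https://some.idp/entityid": {"authn_requests_signed": True},
        },
    }}}}
}

# Constructed IdP metadata fragments (not real entities).
IDP_METADATA = {
    "https://another.idp/entityid": (
        '<EntityDescriptor xmlns="%s" entityID="https://another.idp/entityid">'
        '<IDPSSODescriptor WantAuthnRequestsSigned="true" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</EntityDescriptor>' % MD_NS
    ),
    "https://third.idp/entityid": (
        '<EntityDescriptor xmlns="%s" entityID="https://third.idp/entityid">'
        '<IDPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</EntityDescriptor>' % MD_NS
    ),
}


def metadata_wants_signed(metadata_xml):
    """True if the IdP's IDPSSODescriptor carries WantAuthnRequestsSigned="true"."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("{%s}IDPSSODescriptor" % MD_NS)
    if idp is None:
        return False
    return idp.get("WantAuthnRequestsSigned", "false").lower() == "true"


def should_sign_authn_request(entity_id, config=BACKEND_CONFIG, metadata=IDP_METADATA):
    """Decide per IdP: explicit override, then metadata, then the global default."""
    sp = config["config"]["sp_config"]["service"]["sp"]
    override = sp.get("relying_parties", {}).get(entity_id, {})
    if "authn_requests_signed" in override:          # 1. per-IdP config wins
        return bool(override["authn_requests_signed"])
    if entity_id in metadata and metadata_wants_signed(metadata[entity_id]):
        return True                                   # 2. IdP asks for it in metadata
    return bool(sp.get("authn_requests_signed", False))  # 3. fall back to default
```

The returned flag is what would be passed as the signing decision for that IdP's request; an entity with neither an override nor a metadata flag gets the SP-wide default.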
_______________________________________________
Satosa-dev mailing list
Satosa-dev at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-dev